Botless Botnets

From Bobs Projects

"Botless Botnets" is a project to examine how to build a "botnet" without "bots".


Overview

According to Wikipedia, a botnet "is a collection of internet-connected programs communicating with other similar programs in order to perform tasks."

More generally, a botnet is a collection of "zombie" computers that may have been compromised to participate in the "net". The key resource of interest to a "bot-herder" is the zombie computer's IP(v4) address, from which various forms of attack can be launched onto the Internet. Other key resources of interest may be CPU cycles or storage capacity, but both of these are relatively abundant (and hence cheap) and so may not be worth stealing from unsuspecting users.

The question to investigate is whether an intervening router can be compromised to allow traffic from other sources to be Source-NAT'd (SNAT'd) over the top of existing legitimate IP(v4) traffic. Can it be done without the legitimate operator of the router being aware? Can it be done in such a way that the legitimate operator can plausibly deny that they knew it was happening?

Trivial Cases

Some trivial cases enabling the stealing of IP(v4) addresses without compromising a "victim" client are:

  • Compromising a domestic router
  • Wi-Fi hijacking

Compromising a domestic router is somewhat interesting, but will only gain a single public IP(v4) address per router. If such a compromise could be stealthily deployed to a large number of such routers, it might make more sense.

If a domestic Wi-Fi network can be compromised, then borrowing an IP(v4) address becomes much easier, especially if the hardware doing it is able to compromise multiple Wi-Fi networks simultaneously from one location.

Project Milestones

Proof of concept

Show that an IP(v4) router can be configured (or otherwise modified) to perform the IP(v4) stealing "attack".

Investigating with a Linux-based router initially is strongly recommended. Four "actors" are needed:

  • the router
  • the target server
  • the "victim" client
  • the "attacking" system

All four can be implemented using VirtualBox or similar virtual machines. RFC 1918 address ranges should be used for the proof of concept.

This simplified scenario assumes that both the "victim" client and the "attacking" system want to access the same target server, which may be somewhat of a corner case, but an important one nonetheless.

Questions:

  • can a Linux router do this with no new code (i.e. just using iptables rules etc.)?
  • if code is required, can it be hidden in existing connection tracking/NAT code?

Scope

Can some/any other, "industrial-strength", router be configured to do the same thing? Does it require a firmware download?

Detection

Can the "victim" client detect that some other entity might be sharing its IP(v4) address?

Can the target server detect that it is getting connections from a legitimate client and the "attacking" system?
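One way the target server could start answering the second question is to compare passive fingerprints of connections arriving from the same source address: a single host has one initial-TTL family, one typical TCP window size and one monotonically increasing TCP timestamp clock, whereas a legitimate client and an "attacking" system SNAT'd behind the same IP(v4) address will usually disagree on at least one of these. The following is an added example, not code from the project; the observations are constructed and the heuristics and their thresholds are the author's assumptions.

```python
"""Heuristics a target server could apply to spot two hosts behind one source IP."""
from collections import defaultdict

# Constructed sample observations (not real traffic): one tuple per observed SYN,
# (src_ip, observed_ttl, tcp_window, tcp_tsval, capture_time_seconds).
SAMPLE_SYNS = [
    ("192.0.2.10", 61, 29200, 1000000, 0.0),   # "victim" client: TTL 64 family, 3 hops away
    ("192.0.2.10", 61, 29200, 1001000, 1.0),
    ("192.0.2.10", 125, 8192, 500000, 1.5),    # second host behind the same address: TTL 128 family
    ("192.0.2.10", 61, 29200, 1002000, 2.0),
    ("192.0.2.10", 125, 8192, 500500, 2.5),
    ("192.0.2.20", 57, 65535, 9000, 0.0),      # an unrelated address with a single host behind it
    ("192.0.2.20", 57, 65535, 10000, 1.0),
]

def initial_ttl_family(ttl):
    """Map an observed TTL onto the common default (64, 128 or 255) it most likely started from."""
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return 255

def shared_ip_suspects(observations):
    """Return {src_ip: [reasons]} for addresses that look like more than one host.

    Heuristics (assumptions, not proof): different initial-TTL families, different
    TCP window sizes, or a TCP timestamp clock that runs backwards, since each real
    host's TSval only ever increases over time.
    """
    by_ip = defaultdict(list)
    for src, ttl, window, tsval, t in observations:
        by_ip[src].append((t, ttl, window, tsval))
    suspects = {}
    for src, obs in by_ip.items():
        obs.sort()  # order by capture time
        reasons = []
        if len({initial_ttl_family(ttl) for _, ttl, _, _ in obs}) > 1:
            reasons.append("multiple initial-TTL families")
        if len({window for _, _, window, _ in obs}) > 1:
            reasons.append("multiple TCP window sizes")
        tsvals = [tsval for _, _, _, tsval in obs]
        if any(later < earlier for earlier, later in zip(tsvals, tsvals[1:])):
            reasons.append("TCP timestamp clock not monotonic")
        if reasons:
            suspects[src] = reasons
    return suspects

if __name__ == "__main__":
    for ip, why in shared_ip_suspects(SAMPLE_SYNS).items():
        print(ip, "->", ", ".join(why))
```

An ordinary home NAT with several devices behind it produces exactly the same signals, so these checks are triage for further investigation rather than proof that an address is being stolen.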

Evaluation